Chatter - Cyber Security Risk
Practice with AI
Hone your skills by practicing this case with our AI-powered consultant.
This is the 2024 refreshed version of the Chatter cyber security case (see also Case 1). The company profile and incident are unchanged — Chatter is a social media platform for teenagers that has experienced a device loss — but the PwC team descriptions and supporting news materials reflect the 2024 toolkit update. Candidates assess cyber risks, select the most appropriate PwC team, and pitch for the engagement. Use this version for current-year interview practice.
About Chatter Social media platform launched 2017; target users aged 13–21 Features: photo sharing, status updates, private messaging, in-app games and purchases 30 employees in Birmingham; company iPhones and laptops issued to all staff Cyber security best-practice email distributed but not universally read; no mandatory training completed The Incident A staff member left their company laptop on a train. An unknown individual picked it up and gained access. The device was remotely wiped after the incident was reported — but it is unknown whether any data was accessed or exfiltrated beforehand. Regulatory Exposure (GDPR) Consent required for all data processing Data must be anonymised and breach notifications issued within 72 hours Cross-border data transfers outside the EU/EEA are restricted DPO appointment required in certain circumstances Fines: up to €20 million for non-compliance PwC Cyber Teams (2024 Descriptions) Core Advisory: End-to-end cyber strategy — from risk assessment to designing and implementing secure IT infrastructure and training programmes. Ethical Hackers: Penetration testing to expose technical vulnerabilities; active threat actor tracking and network monitoring. Crisis Team: Attack simulation, crisis planning, and live on-site response during active incidents. Cyber Threat Team: Global threat intelligence — hacking groups, political actors, malware analysis. Identity & Access Management: Least-privilege access governance — ensuring staff only access systems relevant to their role.
Chatter has experienced a data security incident with unknown consequences and has no mandatory training, no formal access controls, and no clear crisis response plan. Its user base — predominantly minors — and its in-app payment infrastructure create outsized GDPR and reputational risk relative to its size. PwC must win a competitive pitch by demonstrating superior diagnostic capability and the most credible remediation plan.
Lead with the culture diagnosis The laptop incident is a symptom, not the root cause. The root cause is a security culture failure: no mandatory training, unmanaged device access, and no incident response procedure. This means even fixing the immediate vulnerability leaves Chatter exposed. Recommend a two-team approach Immediate: Core Advisory — conduct a full asset mapping and risk assessment, implement mandatory training, and design an IAM framework. Parallel: Ethical Hackers — run a penetration test to surface technical vulnerabilities before an external actor does. Win the pitch on regulatory expertise PwC's GDPR and data protection specialists, combined with its cyber team, offer Chatter end-to-end compliance coverage that boutique cyber firms cannot match. This is especially important given the under-18 user base and payment data exposure.
Practice Sessions
Note: Accepted practice sessions will be available in your profile under "My Practice Sessions".
Case Materials
Submissions (0)
Be the first to comment on this case.
Practice with AI
Sharpen your skills by practicing this case with our AI-powered consultant.
Practice Sessions
Note: Accepted practice sessions will be available in your profile under "My Practice Sessions".
